Merge pull request #62 from jordojordo/release-kw-2.0.0
Release Kubewarden 2.0.0
jordojordo authored Aug 1, 2024
2 parents 0c12359 + 6032c9f commit 2072f85
Showing 46 changed files with 523 additions and 2 deletions.
Binary file added assets/kubewarden/kubewarden-2.0.0.tgz
Binary file not shown.
17 changes: 17 additions & 0 deletions charts/kubewarden/2.0.0/Chart.yaml
@@ -0,0 +1,17 @@
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/kube-version: '>= v1.16.0-0 < v1.31.0-0'
catalog.cattle.io/namespace: cattle-ui-plugin-system
catalog.cattle.io/os: linux
catalog.cattle.io/permits-os: linux, windows
catalog.cattle.io/rancher-version: '>= 2.9.0-0'
catalog.cattle.io/scope: management
catalog.cattle.io/ui-component: plugins
catalog.cattle.io/ui-extension-version: '>= 2.0.0'
apiVersion: v2
appVersion: 2.0.0
description: Kubewarden extension for Rancher Manager
name: kubewarden
type: application
version: 2.0.0
icon: https://raw.githubusercontent.com/rancher/ui-plugin-charts/main/icons/kubewarden/2.0.0-icon-kubewarden.svg
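Review bot: The three version constraints in the annotations block (catalog.cattle.io/kube-version, catalog.cattle.io/rancher-version and catalog.cattle.io/ui-extension-version) are repeated verbatim under plugin.metadata in values.yaml, so the two copies can drift on the next release. Suggest a comment in each file naming the other, or generating one from the other. The icon URL also points at the main branch rather than a fixed revision, so the image served for 2.0.0 can change after release.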
7 changes: 7 additions & 0 deletions charts/kubewarden/2.0.0/README.md
@@ -0,0 +1,7 @@
# Kubewarden Extension for Rancher Manager

An extension for Rancher Manager which allows you to interact with Kubewarden.

After installation, go to a cluster and you will see a new side navigation entry 'Kubewarden'. This will allow you to install Kubewarden into the cluster and manage Kubewarden resources and configuration.

For more information see https://www.kubewarden.io/
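Review bot: The README does not state the compatibility requirements that Chart.yaml declares in its annotations (catalog.cattle.io/rancher-version '>= 2.9.0-0', catalog.cattle.io/ui-extension-version '>= 2.0.0', catalog.cattle.io/kube-version '>= v1.16.0-0 < v1.31.0-0'). A short requirements line before the "After installation" paragraph would save operators from finding this out at install time.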
63 changes: 63 additions & 0 deletions charts/kubewarden/2.0.0/templates/_helpers.tpl
@@ -0,0 +1,63 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "extension-server.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "extension-server.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}


{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "extension-server.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
Common labels
*/}}
{{- define "extension-server.labels" -}}
helm.sh/chart: {{ include "extension-server.chart" . }}
{{ include "extension-server.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}

{{/*
Selector labels
*/}}
{{- define "extension-server.selectorLabels" -}}
app.kubernetes.io/name: {{ include "extension-server.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

{{/*
Pkg annotations
*/}}
{{- define "extension-server.pluginMetadata" -}}
{{- with .Values.plugin.metadata }}
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
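Review bot: The "Pkg annotations" comment on extension-server.pluginMetadata does not document how the helper has to be called. It emits each key/value pair on its own line with a leading newline and relies on the caller for indentation (cr.yaml pipes it through indent 6), and when .Values.plugin.metadata is empty it renders nothing, which leaves the caller's metadata: key without a value. Suggest expanding the comment to say so, and noting that keys are emitted unquoted while values go through quote, so keys must be valid plain YAML scalars.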
14 changes: 14 additions & 0 deletions charts/kubewarden/2.0.0/templates/cr.yaml
@@ -0,0 +1,14 @@
apiVersion: catalog.cattle.io/v1
kind: UIPlugin
metadata:
name: {{ include "extension-server.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: {{ include "extension-server.labels" . | nindent 4 }}
spec:
plugin:
name: {{ include "extension-server.fullname" . }}
version: {{ (semver (default .Chart.AppVersion .Values.plugin.versionOverride)).Original }}
endpoint: https://raw.githubusercontent.com/rancher/ui-plugin-charts/main/extensions/kubewarden/2.0.0
noCache: {{ .Values.plugin.noCache }}
noAuth: {{ .Values.plugin.noAuth }}
metadata: {{ include "extension-server.pluginMetadata" . | indent 6 }}
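Review bot: spec.plugin.endpoint is hard-coded to the extensions/kubewarden/2.0.0 path, while spec.plugin.name and spec.plugin.version are templated from the release name and .Values.plugin.versionOverride. A release name other than kubewarden, a fullnameOverride, or a non-empty versionOverride produces a UIPlugin whose name or version no longer matches what that fixed path serves; either derive the endpoint from the same values or drop the overrides. The endpoint also follows the main branch on raw.githubusercontent.com, so the scripts loaded for this version are not tied to a fixed revision; a tag or commit reference would make the release reproducible.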
11 changes: 11 additions & 0 deletions charts/kubewarden/2.0.0/values.yaml
@@ -0,0 +1,11 @@
nameOverride: ""
fullnameOverride: ""
plugin:
enabled: true
versionOverride: ""
noCache: false
noAuth: false
metadata:
catalog.cattle.io/kube-version: ">= v1.16.0-0 < v1.31.0-0"
catalog.cattle.io/rancher-version: ">= 2.9.0-0"
catalog.cattle.io/ui-extension-version: ">= 2.0.0"
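Review bot: plugin.enabled is set to true, but neither templates/cr.yaml nor templates/_helpers.tpl as shown in this commit reads it, so setting it to false has no effect on the rendered UIPlugin. Either wrap cr.yaml in an if on .Values.plugin.enabled or remove the key. A one-line comment on noCache and noAuth describing what each changes would also help operators who override them.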
36 changes: 36 additions & 0 deletions extensions/kubewarden/2.0.0/files.txt
@@ -0,0 +1,36 @@
plugin/assets/airgap-installation.md
plugin/img/harvester.765f68bd.png
plugin/img/icon-kubewarden.3c183b75.svg
plugin/kubewarden-2.0.0.umd.min.0.js
plugin/kubewarden-2.0.0.umd.min.0.js.map
plugin/kubewarden-2.0.0.umd.min.13.js
plugin/kubewarden-2.0.0.umd.min.13.js.map
plugin/kubewarden-2.0.0.umd.min.14.js
plugin/kubewarden-2.0.0.umd.min.14.js.map
plugin/kubewarden-2.0.0.umd.min.15.js
plugin/kubewarden-2.0.0.umd.min.15.js.map
plugin/kubewarden-2.0.0.umd.min.airgap-docs.js
plugin/kubewarden-2.0.0.umd.min.airgap-docs.js.map
plugin/kubewarden-2.0.0.umd.min.detail.js
plugin/kubewarden-2.0.0.umd.min.detail.js.map
plugin/kubewarden-2.0.0.umd.min.dialog.js
plugin/kubewarden-2.0.0.umd.min.dialog.js.map
plugin/kubewarden-2.0.0.umd.min.edit.js
plugin/kubewarden-2.0.0.umd.min.edit.js.map
plugin/kubewarden-2.0.0.umd.min.formatters.js
plugin/kubewarden-2.0.0.umd.min.formatters.js.map
plugin/kubewarden-2.0.0.umd.min.js
plugin/kubewarden-2.0.0.umd.min.js.map
plugin/kubewarden-2.0.0.umd.min.list.js
plugin/kubewarden-2.0.0.umd.min.list.js.map
plugin/kubewarden-2.0.0.umd.min.policyDashboard0.js
plugin/kubewarden-2.0.0.umd.min.policyDashboard0.js.map
plugin/kubewarden-2.0.0.umd.min.policyDashboard1.js
plugin/kubewarden-2.0.0.umd.min.policyDashboard1.js.map
plugin/kubewarden-2.0.0.umd.min.vendors~detail.js
plugin/kubewarden-2.0.0.umd.min.vendors~detail.js.map
plugin/kubewarden-2.0.0.umd.min.vendors~edit.js
plugin/kubewarden-2.0.0.umd.min.vendors~edit.js.map
plugin/kubewarden-2.0.0.umd.min.vendors~markdown.js
plugin/kubewarden-2.0.0.umd.min.vendors~markdown.js.map
plugin/package.json
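Review bot: files.txt lists file names only, with no digest per entry, so anyone mirroring extensions/kubewarden/2.0.0 has nothing to check the downloaded bundles against. If this file is generated, consider emitting a SHA-256 next to each path. The list also publishes a .js.map for every bundle; please confirm that shipping source maps is intended.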
155 changes: 155 additions & 0 deletions extensions/kubewarden/2.0.0/plugin/assets/airgap-installation.md
@@ -0,0 +1,155 @@
# Air gap installation

This guide will show you how to install Kubewarden in air-gapped environments. In an air-gapped installation of Kubewarden,
you will need a private OCI registry accessible by your Kubernetes cluster. Kubewarden Policies
are WebAssembly modules; therefore, they can be stored inside an OCI-compliant registry as OCI artifacts.
You need to add Kubewarden's images and policies to this OCI registry. Let's see how to do that.

## Requirements

1. Private registry that supports OCI artifacts, [here](../../distributing-policies/oci-registries-support) you can find a list of supported OCI registries. It will be used for storing the container images and policies.
2. [kwctl](https://github.com/kubewarden/kwctl) 1.3.1 or above
3. docker v20.10.6 or above

## Save container images in your workstation

1. Download `kubewarden-images.txt` from the Kubewarden [release page](https://github.com/kubewarden/helm-charts/releases/). Alternatively, the `imagelist.txt` and `policylist.txt` files are shipped inside the helm charts containing the used container images and policy wasm modules, respectively.

>**Note:** Optionally, you can verify the signatures of the [helm charts](../../security/verifying-kubewarden#helm-charts) and [container images](../../security/verifying-kubewarden#container-images)
2. Add `cert-manager` if it is not available in your private registry.

```
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm pull jetstack/cert-manager
helm template ./cert-manager-<Version>.tgz | \
awk '$1 ~ /image:/ {print $2}' | sed s/\"//g >> ./kubewarden-images.txt
```

3. Download `kubewarden-save-images.sh` and `kubewarden-load-images.sh` from the [utils repository](https://github.com/kubewarden/utils).
4. Save Kubewarden container images into a .tar.gz file:

```
./kubewarden-save-images.sh \
--image-list ./kubewarden-images.txt \
--images kubewarden-images.tar.gz
```

Docker begins pulling the images used for an air gap install. Be patient. This process takes a few minutes.
When the process completes, your current directory will output a tarball named `kubewarden-images.tar.gz`. It will be present in the same directory where you executed the command.

## Save policies in your workstation

1. Add all the policies you want to use in a `policies.txt` file. A file with a list of the default policies can be found in the Kubewarden defaults [release page](https://github.com/kubewarden/helm-charts/releases/)
2. Download `kubewarden-save-policies.sh` and `kubewarden-load-policies.sh` from the [kwctl repository](https://github.com/kubewarden/kwctl/tree/main/scripts)
3. Save policies into a .tar.gz file:

```
./kubewarden-save-policies.sh --policies-list policies.txt
```

kwctl downloads all the policies and stores them as `kubewarden-policies.tar.gz` archive.

## Helm charts

You need to download the following helm charts in your workstation:

```
helm pull kubewarden/kubewarden-crds
helm pull kubewarden/kubewarden-controller
helm pull kubewarden/kubewarden-defaults
```

Download `cert-manager` if it is not installed in the air gap cluster.

```
helm pull jetstack/cert-manager
```

## Populate private registry

Move `kubewarden-policies.tar.gz`, `kubewarden-images.tar.gz`, `kubewarden-load-images.sh`, `kubewarden-load-policies.sh` and `policies.txt`
to the air gap environment.

1. Load Kubewarden images into the private registry. Docker client must be authenticated against the local registry
```
./kubewarden-load-images.sh \
--image-list ./kubewarden-images.txt \
--images kubewarden-images.tar.gz \
--registry <REGISTRY.YOURDOMAIN.COM:PORT>
```
2. Load Kubewarden policies into the private registry. Kwctl must be authenticated against the local registry (`kwctl` uses the same mechanism to authenticate as `docker`, a `~/.docker/config.json` file)
```
./kubewarden-load-policies.sh \
--policies-list policies.txt \
--policies kubewarden-policies.tar.gz \
--registry <REGISTRY.YOURDOMAIN.COM:PORT> \
--sources-path sources.yml
```

>***Caution:***
>The `sources.yaml` file is needed by kwctl to connect to registries that fall into these categories:
>
>* Authentication is required
>* Self signed certificate is being used
>* No TLS termination is done
>
>Please refer to [the section on custom certificate authorities](../../distributing-policies/custom-certificate-authorities.md) in our documentation to learn more about configuring the `sources.yaml` file

## Install Kubewarden

Let's install Kubewarden now that we have everything we need in our private registry. The only difference with a normal
Kubewarden installation is that we need to change the registry in the container images and policies to our private registry.

Install `cert-manager` if it is not already installed in the air gap cluster:

```
helm install --create-namespace cert-manager ./cert-manager-<Version>.tgz \
-n kubewarden \
--set installCRDs=true \
--set image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/jetstack/cert-manager-controller \
--set webhook.image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/jetstack/cert-manager-webhook \
--set cainjector.image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/jetstack/cert-manager-cainjector \
--set startupapicheck.image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/jetstack/cert-manager-ctl
```

Let's install the Kubewarden stack:

```
helm install --wait -n kubewarden \
kubewarden-crds kubewarden-crds.tgz
```

```
helm install --wait -n kubewarden \
kubewarden-controller kubewarden-controller.tgz \
--set global.cattle.systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT>
```

```
helm install --wait -n kubewarden \
kubewarden-defaults kubewarden-defaults.tgz \
--set global.cattle.systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT>
```

>***Caution***
>To download the recommended policies installed by the `kubewarden-defaults` Helm
>Chart from a registry other than `global.cattle.systemDefaultRegistry`, you can
>utilize the `recommendedPolicies.defaultPoliciesRegistry` configuration. This
>configuration allows users to specify a registry dedicated to pulling the OCI
>artifacts of the policies. It is particularly useful when their container image
>repository does not support OCI artifacts.
>
>To install and wait for the installation to complete, use the following command:
>
>```console
>helm install --wait -n kubewarden \
> kubewarden-defaults kubewarden-defaults.tgz \
> --set global.cattle.systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT> \
> --set recommendedPolicies.defaultPoliciesRegistry=<REGISTRY.YOURDOMAIN.COM:PORT>
>```
>
>If the `recommendedPolicies.defaultPoliciesRegistry` configuration is not set,
>the `global.cattle.systemDefaultRegistry` will be used as the default registry.
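Review bot: In "Populate private registry" step 2 the command passes --sources-path sources.yml, but the caution directly below it twice refers to sources.yaml; use one spelling so a copied command finds the file the reader created. The links in this file (../../distributing-policies/oci-registries-support, ../../security/verifying-kubewarden, ../../distributing-policies/custom-certificate-authorities.md) are relative to the documentation site and will not resolve from plugin/assets/, so absolute URLs are needed here. Since the guide is about carrying artifacts into an isolated environment, the signature-verification note in "Save container images in your workstation" would read better as a numbered step than as an optional aside that interrupts the list between items 1 and 2.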